[389-users] 389 certificate issues...

Chandrasekar Kannan ckannan at redhat.com
Sat Oct 3 01:09:40 UTC 2009


On 10/02/2009 05:30 PM, Marc Sauton wrote:
> Trey Sheldon wrote:
>> Hello all,
>>
>> I've been evaluating and prepping to deploy 389 for a couple months 
>> now and while working on my final deployment I've run into a snag...
>>
>> I created two servers and successfully enabled SSL on them.  I'm 
>> attempting to create a third using the exact same procedure and can't 
>> seem to get SSL enabled.
>>
>> I used the admin-gui to install the request / install the certs and 
>> roots.
>>
>> ##WORKING
>> #certutil -L -d .
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> Metaweb Root Certificate                                     CT,,
>> Metaweb Host Root Certificate                                CT,,
>> server-cert                                                  u,u,u
>>
>> # certutil -L -d . -n server-cert
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 88 (0x58)
>>         Signature Algorithm: PKCS #1 MD5 With RSA Encryption
>>     Issuer: ........ <full certificate>
>>
>> ## NOT WORKING
>> # certutil -L -d .
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> Metaweb Root Certificate                                     CT,,
>> Metaweb Host Root Certificate                                CT,,
>> server-cert                                                  u,u,u
>>
>> # certutil -L -d . -n server-cert
>> certutil: Could not find: server-cert
>> : security library: bad database.
>>
> It means the nick-name provided to certutil does not exist in the NSS db.

certutil -X -d . (might help as it tries to open the db in write mode)...

> Aside cert8.db, key3.db, secmod.db files and directory permissions, 
> reading the 2 root certificates from this specific NSS db directory 
> for sanity check, is it possible the string "server-cert" that you 
> expect for the nickname was stored with some extra spaces appended to 
> it?...
> Is the cert visible in the console?
> Any specific errors in the console when you try to install the cert or 
> enable SSL?
>>
>> These systems are automatically deployed and configured and should 
>> have identical package revisions and configurations.  I'm at a blank 
>> to what is causing the problem.   Any insight that people have would 
>> be *greatly* appreciated.
>>
>> Sincerely,
>> Trey Sheldon
>>
>> -- 
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

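The checks Marc and Chandrasekar describe above, written out as an added example (this is not code from the original thread, from 389 or from NSS): a small POSIX shell script that parses the `certutil -L` listing, makes any hidden whitespace in a nickname visible, verifies the database files are readable, and then probes each nickname with `certutil -L -n`, retrying with trailing spaces appended because certutil pads the nickname column to a fixed width and so the listing cannot show them. The script assumes NSS `certutil` is on PATH (the CERTUTIL variable overrides that); the function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# nss-nick-probe.sh: added example, not code from the original post or
# from 389/NSS. Diagnoses "certutil -L lists the nickname but
# certutil -L -n cannot find it". Assumes certutil on PATH.

CERTUTIL="${CERTUTIL:-certutil}"

# Constructed sample of `certutil -L -d .` output, shaped like the listing
# in the post; it is not the poster's data.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Metaweb Root Certificate                                     CT,,
Metaweb Host Root Certificate                                CT,,
server-cert                                                  u,u,u'

# Read a certutil -L listing on stdin and print one nickname per line.
# certutil pads the nickname to a fixed column width and appends the trust
# string, so we drop the header lines, trailing whitespace and the last
# (trust) token; nicknames containing spaces survive intact.
nss_list_nicknames() {
    awk '/^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
         { sub(/[ \t]+$/, ""); sub(/[ \t]+[^ \t]*$/, ""); print }'
}

# Render a nickname with whitespace made visible ($ marks end of line,
# tabs show as \t), so "server-cert  " is distinguishable from "server-cert".
nss_visible() {
    printf '%s\n' "$1" | sed -n l
}

# Exact lookup of one nickname; exit status 0 iff certutil can open it.
nss_probe() {
    "$CERTUTIL" -L -d "$1" -n "$2" >/dev/null 2>&1
}

# Try the nickname as listed, then with 1..3 trailing spaces appended.
# Prints the variant that worked and returns 0; returns 1 if none did.
nss_find_nick() {
    db=$1; v=$2; i=0
    while [ "$i" -le 3 ]; do
        if nss_probe "$db" "$v"; then
            printf '%s\n' "$v"
            return 0
        fi
        v="$v "
        i=$((i + 1))
    done
    return 1
}

# Check the database files, then every listed nickname in a directory.
# Returns 0 if every nickname opens as listed, 1 if one cannot be opened
# at all, 2 if the database itself is unreadable or certutil fails.
nss_check_db() {
    db=$1
    for f in cert8.db key3.db secmod.db; do
        [ -r "$db/$f" ] || { echo "cannot read $db/$f (check owner/permissions)" >&2; return 2; }
    done
    listing=$("$CERTUTIL" -L -d "$db") || return 2
    tmp=$(mktemp) || return 2
    printf '%s\n' "$listing" | nss_list_nicknames > "$tmp"
    status=0
    while IFS= read -r nick; do
        if hit=$(nss_find_nick "$db" "$nick"); then
            [ "$hit" = "$nick" ] || echo "MISMATCH: '$nick' opens only as $(nss_visible "$hit")"
        else
            echo "MISSING: '$nick' is listed but no variant opens; try $CERTUTIL -X -d $db"
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$status"
}

if [ "$#" -gt 0 ]; then
    nss_check_db "$1"
else
    # No directory given: show the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_LISTING" | nss_list_nicknames | while IFS= read -r n; do
        nss_visible "$n"
    done
fi
```

Run it with the instance's NSS database directory as the only argument. A MISMATCH line confirms the trailing-space theory and shows the exact stored nickname with the padding visible; a MISSING line means no variant opens, which points at the database files rather than the nickname, and forcing a read-write open with `certutil -X -d <dir>` is the next thing to try.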